NTP Server Configuration

To configure the NTP Server:

  • Navigate to Services > NTP

  • Configure the settings as follows:

    Interface

    Select the interface(s) to use for NTP. The NTP daemon binds to all interfaces by default to receive replies properly. This may be minimized by selecting at least one interface to bind, but that interface will also be used to source the NTP queries sent out to remote servers, not only to serve clients. Deselecting all interfaces is the equivalent of selecting all interfaces.

    Time Servers

    A list of servers to query in order to keep the clock of this firewall synchronized. This list is initially pulled from the entries under System > General Setup. For best results, we recommend using at least three servers, but no more than five. Click Add to configure additional time servers.

    Prefer

    When checked, this NTP server entry is favored by the NTP daemon over others.

    No Select

    When checked, this NTP server is not used for time synchronization, but only to display statistics.

    Orphan Mode

    Orphan mode uses the system clock when no other clocks are available. Without it, clients will not receive a response when other servers are unreachable. The value entered here is the stratum used for Orphan Mode, and is typically set high enough that live servers are preferred. The default value is 12.

    NTP Graphs

    Check to enable RRD graphs for NTP server statistics.

    Logging

    When logging options are active, NTP logs are written using syslog and may be found under Status > System Logs, on the NTP tab.

    Log Peer Messages

    When checked, NTP will log messages about peer events, information, and status.

    Log System Messages

    When checked, NTP will log messages about system events, information, and status.

    Statistics Logging

    Click Show Advanced to view these options. When enabled, NTP will create persistent daily log files in /var/log/ntp to keep statistics data. The format of the statistics records in the log files can be found in the ntp.conf man page.

    Log reference clock statistics

    When checked, NTP records clock driver statistics on each update.

    Log clock discipline statistics

    When checked, NTP records loop filter statistics on each update of the local clock.

    Log NTP Peer Statistics

    When checked, NTP records statistics for all peers of the NTP daemon, along with special signals.

    Leap Seconds

    Click Show Advanced to view these options. Defines the contents of the Leap Second file, used by NTP to announce upcoming leap seconds to clients. This is typically used only by stratum 1 servers. The exact format of the file may be found on the IETF leap second list.

  • Click Save

Access Restrictions

Access restrictions (ACLs) are configured on the ACL tab under Services > NTP. These ACLs control how NTP interacts with clients.

Default Access Restrictions

Control behavior for all clients by default.

Kiss-o’-Death

When set, NTP will send a KoD packet when an access violation occurs. Such packets are rate limited and no more than one per second will be sent.

Modifications

When set, ntpq and ntpdc queries that attempt to change the configuration of the server are denied, but informational queries are returned.

Queries

When set, all queries from ntpq and ntpdc are denied.

Warning

Setting this will effectively disable the NTP status page, which relies on ntpq.

Service

When set, NTP will deny all packets except queries from ntpq and ntpdc.

Peer Association

When set, NTP denies packets that would result in a new peer association, including broadcast and symmetric active packets for peers without an existing association.

Trap Service

When set, NTP will not provide mode 6 control message trap service, used for remote event logging.

Custom Access Restrictions

Defines the behavior for specific client addresses or subnets. Click Add to add a new network definition.

Network/mask

The subnet and mask to define the client controlled by the restrictions in this entry.

Restrictions

The option names are abbreviated versions of those in the default list, in the same order.

Click Save to store the ACLs.
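The following is an added example, not part of the original documentation or the project's own code. It audits ntpd-style restrict lines and reports, for each client entry, which of the access restrictions described above are not set. The mapping from the option names to ntpd flag names, the sample configuration and the policy list are assumptions made for illustration.

```python
import ipaddress

# Page option -> ntpd "restrict" flag (assumed mapping; flag names are not on the page).
OPTION_FLAGS = {"Kiss-o'-Death": "kod", "Modifications": "nomodify", "Queries": "noquery",
                "Service": "noserve", "Peer Association": "nopeer", "Trap Service": "notrap"}

# Constructed sample configuration, not taken from a real firewall.
SAMPLE_CONF = """\
restrict default kod limited nomodify nopeer notrap
restrict -6 default kod limited nomodify noquery nopeer notrap
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap  # lab subnet
restrict 127.0.0.1
"""

def parse_restrict(conf):
    """Map each restrict target ('default', 'default-6', 'source' or a CIDR) to its flag set."""
    acls = {}
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        family = tok.pop(1) if tok[1:2] in (["-4"], ["-6"]) else ""
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        target, flags = tok[1], tok[2:]
        if target in ("default", "source"):
            key = target + family
        else:
            mask = ""
            if flags[:1] == ["mask"] and len(flags) >= 2:
                mask, flags = "/" + flags[1], flags[2:]
            key = str(ipaddress.ip_network(target + mask, strict=False))
        acls[key] = set(flags)
    return acls

def unset_options(acls, wanted):
    """Return {target: [page options from `wanted` whose flag is absent]}."""
    report = {}
    for key, flags in acls.items():
        if "/" in key and ipaddress.ip_network(key).is_loopback:
            continue  # loopback skipped (assumed to be local ntpq use, e.g. the status page)
        missing = [opt for opt in wanted if OPTION_FLAGS[opt] not in flags]
        if missing:
            report[key] = missing
    return report

if __name__ == "__main__":
    policy = ["Modifications", "Queries", "Peer Association", "Trap Service"]  # example policy
    for target, missing in unset_options(parse_restrict(SAMPLE_CONF), policy).items():
        print(f"{target}: not set -> {', '.join(missing)}")
```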